1. Technical Field
Embodiments of the invention relate to wireless data networks. In particular, the invention provides for connections to wireless data networks from routers within secured facilities, e.g., TEMPEST certified facilities.
2. Discussion of Art
Certain organizations (e.g., financial institutions, electrical transmission operators, law firms, industrial research organizations, and the like) have multiple geographically dispersed locations where, in the normal course of operations, data must be securely stored and among which data must be securely communicated. Such organizations will be referred to hereafter as “data reliant organizations.”
Data communication conventionally has been accomplished using landline (either copper or fiber cable) as well as wireless connectivity. Landlines are expensive to install and are relatively vulnerable to compromise whereas wireless connections can be established and modified relatively conveniently (therefore, cheaply); can provide mode redundancy (e.g. by multichannel transmission and reception, as disclosed in companion “ROUTER” application); and are perhaps less vulnerable to compromise (by spectrum-spreading or other intercept-resistant protocols, which also can enhance data throughput, again as disclosed in companion “ROUTER” application). Accordingly, it has become popular to provide for wireless data transmission among the dispersed locations of data reliant organizations.
For enterprise level and M2M use cases, cellular data connectivity at the endpoint is frequently implemented via a wireless router. Referring to FIG. 1, in a typical installation, a cellular-wireless router 10 forms a bridge between a commercial or proprietary wide-area network (WAN) and a TCP/IP compatible port or ports or other application specific I/O facilities. Typically, the cellular-wireless router includes a CPU, at least one cellular transceiver, an Ethernet PHY and either an integrated cellular antenna or connection facilities for an external cellular antenna 12. Connectivity between the router and associated/supported peripheral equipment 14 may be via metallic circuit, optical fiber, optical broadcast or wireless methods. All of these components are maintained within a secured location such as a datacenter 50.
However, in many installation scenarios where a router is to be co-located with other equipment in a secure location, it is impossible to achieve/maintain adequate wireless signal strength at the router to support reliable cellular router operation. Router installation in a subterranean datacenter facility may serve as one example, while an automated teller machine installed deep inside a building structure is another. In either case, a co-located antenna (as shown in FIG. 1) may provide inadequate signal access or none at all.
A logical and existing solution, as shown in FIG. 2, may be to move the router's separate antenna 12 to a location outside the datacenter 50, where there is improved wireless signal access, and to extend the RF signal over a sufficiently long network cable 30 from the antenna back to the router 10. In certain instances this approach is possible, but typically the maximum distance between the router and antenna is severely limited by cable attenuation. Thin coax cables (e.g., RG-178) can attenuate the signal of interest (1900 MHz for 3G service) by as much as 1 dB per foot of length. At this rate of attenuation, the energy loss doubles for every 3 feet of additional cable length. Although signal distances can be improved by using specialized, esoteric cable types, with typical cellular transceivers cable runs of more than about ten feet (3 m) can prove impractical in many real-world installations.
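The attenuation figures above translate into a simple link-budget calculation. The following Python is an added illustration and not part of the patent text; the 1 dB per foot figure is taken from the passage, while the example receiver margin of 10 dB is an assumed value used only to show how the usable cable length is derived.

```python
import math

# From the text: thin coax such as RG-178 loses about 1 dB per foot at 1900 MHz.
ATTENUATION_DB_PER_FT = 1.0


def cable_loss_db(length_ft, db_per_ft=ATTENUATION_DB_PER_FT):
    """Total loss in dB for a cable run of the given length."""
    return length_ft * db_per_ft


def power_fraction(loss_db):
    """Fraction of the RF power that survives a loss of loss_db (10*log10 scale)."""
    return 10 ** (-loss_db / 10)


def length_to_halve_power(db_per_ft=ATTENUATION_DB_PER_FT):
    """Extra cable length at which the remaining power halves (the 3 dB point).

    With 1 dB/ft this is about 3 ft, which is the 'doubles every 3 feet' rule
    quoted in the text.
    """
    return 10 * math.log10(2) / db_per_ft


def max_run_ft(margin_db, db_per_ft=ATTENUATION_DB_PER_FT):
    """Longest run that stays within a receiver's link-budget margin.

    margin_db is the headroom between the signal available at the antenna and
    the transceiver's minimum usable level (assumed value in the usage below).
    """
    return margin_db / db_per_ft


def remaining_power_table(lengths_ft, db_per_ft=ATTENUATION_DB_PER_FT):
    """(length, loss dB, fraction of power remaining) for each candidate run."""
    return [(ft, cable_loss_db(ft, db_per_ft), power_fraction(cable_loss_db(ft, db_per_ft)))
            for ft in lengths_ft]


if __name__ == "__main__":
    # Assumed 10 dB margin: with 1 dB/ft the run is limited to about ten feet,
    # matching the practical limit described in the text.
    print(f"3 dB point: {length_to_halve_power():.2f} ft")
    print(f"max run at 10 dB margin: {max_run_ft(10):.1f} ft")
    for ft, loss, frac in remaining_power_table([3, 6, 10, 20]):
        print(f"{ft:3d} ft  loss {loss:4.1f} dB  power remaining {frac * 100:5.1f}%")
```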
Another solution may be to move the router and antenna to a location with favorable signal access and accomplish the extended connection between router and connected equipment in the TCP/IP (or LAN) baseband signal domain. This approach can serve well in some instances where the router's remote location is acceptable from a security and physical accommodation standpoint. However, in this configuration the router generally will be placed in a non-secure or possibly public location, and the LAN connectivity can be vulnerable to interception, interrogation or tampering. Additionally, the operating environment may be poorly controlled, if at all. Thus, this “solution” actually is just a restatement of the problems that can be resolved by putting the router in a controlled location.
Such a restatement of the original problem is of particular concern given recent discoveries about capabilities for remote infiltration of electronic devices, either for surveillance or sabotage. For example, common hardware components (e.g., cable connectors, memory chips) can be compromised by insertion of transponders that permit unauthorized wireless access to digital instructions or data, possibly from any location within more than fifty square miles surrounding the compromised component. Thus, such components can permit essentially undetectable server-side access to “clear” data, that is, data not protected by any encryption technology. This newly-public technology thereby enables covert monitoring and modification of critical data streams (e.g., financial account data and transfer instructions; electrical network load data and distribution breaker position commands).
Although only governmental possession of remote transponders has been publicized, it is highly likely that illicit actors also have obtained possession of similar technology, either by outright purchase, by subversion of government officers, or by reverse engineering. Accordingly, data reliant organizations are subject to a server-side risk of data interception or manipulation by bad actors. This is and will increasingly become a business-critical concern for data reliant organizations, particularly financial institutions.
Accordingly, it would be desirable for data reliant organizations to maintain critical data servers within a facility resistant to wireless penetration, e.g., a TEMPEST certified facility, while still retaining an ability to provide for wireless broadband communication among the critical data servers at the geographically dispersed locations.
Use of TEMPEST precautions raises and amplifies all of the issues discussed above with reference to router installation within a merely inconvenient location, as opposed to an intentionally shielded location.